Information Security

What is a Statement of Applicability in ISO 27001?

You're working on ISO 27001 or getting questions from customers about your information security. Then suddenly the term "Statement of Applicability" (SoA) comes along. What exactly is it and why is it often requested?
This article was last updated on 29/7/2025.

What is a Statement of Applicability (SoA)?

The Statement of Applicability (SoA) is a mandatory document within ISO 27001. In it you state which security measures (controls) from Annex A of ISO 27001 are or are not applicable to your organization, and why.

The document includes:

  • A list of all 93 Annex A controls (ISO/IEC 27001:2022).
  • For each control:
    • Whether it is applicable or not applicable
    • Why that choice was made
  • References to the policies, risks or technical measures that support the choice

👉 So it is not a box-ticking exercise, but a reasoned account of how your organization handles information security.

Why is the SoA so important?

The SoA is one of the most important documents in your Information Security Management System (ISMS). Here are the main reasons why:

1. It is a mandatory document for certification

Without a current and substantiated SoA, you cannot be certified to ISO 27001; clause 6.1.3 of the standard explicitly requires the document.

2. You do not have to implement every control

ISO 27001 does not require you to implement all 93 Annex A controls. You can (theoretically) even certify with just one applicable control, as long as every exclusion is properly justified in the SoA by your risk assessment. In practice an auditor will challenge any exclusion the risk assessment does not support. This is exactly why customers often want to see your SoA: it shows how mature your ISMS is.

3. Customers and suppliers demand it

More and more organizations request the SoA to assess which controls you have actually implemented. This matters most in the supply chain: suppliers that handle sensitive data must be able to demonstrate that they take appropriate security measures.

Tip: when you share confidential information with suppliers, ask them for their SoA as well. It gives direct insight into their security posture.

What does a good Statement of Applicability look like?

An SoA usually follows a fixed tabular format and must contain the following four elements (these are the items clause 6.1.3 requires):

  1. The necessary controls (written out in full, not just the control number);
  2. The justification for including each control;
  3. Whether each necessary control has been implemented or not;
  4. The justification for excluding any control from Annex A.

Below is a simple example (for a few controls):

Example: Statement of Applicability

Note that a good SoA is dynamic. The document grows with your organization, your risk assessment and technological developments, and it must be kept in step with them.

Common mistakes in the SoA

❌ Ticking controls off without substantiation

❌ Not updating the SoA when new risks or controls appear

❌ No documentation or evidence that a control is actually implemented

❌ No justification for exclusions (the 'reason for non-application')

Summary

The Statement of Applicability is much more than a checklist: it is the heart of your certification. Customers, suppliers and auditors use it to assess whether you really have a grip on your risks and are taking appropriate controls.

💡 Want to be well prepared for questions from customers or suppliers? Then start with a clear and well-reasoned SoA.

Mathijs Oppelaar
Operations Manager